Bug 698903 - ghostscript-9.22: stack out of bounds read (underflow) in gs_type2_interpret
Summary: ghostscript-9.22: stack out of bounds read (underflow) in gs_type2_interpret
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-01-23 14:07 UTC by hanno
Modified: 2019-05-08 13:34 UTC

See Also:
Customer:
Word Size: ---


Attachments
poc pdf (704 bytes, application/pdf)
2018-01-23 14:07 UTC, hanno
Description hanno 2018-01-23 14:07:58 UTC
Created attachment 14633
poc pdf

The attached file will cause a stack out of bounds read in the function gs_type2_interpret.

This can be seen by compiling ghostscript with address sanitizer (-fsanitize=address in CFLAGS).

Here's the stack trace from asan:
==1361==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fff9000c6d8 at pc 0x0000009bae32 bp 0x7fff9000c6b0 sp 0x7fff9000c6a8
READ of size 4 at 0x7fff9000c6d8 thread T0
    #0 0x9bae31 in gs_type2_interpret /f/ghostscript/ghostscript-9.22/./base/gstype2.c:381:46
    #1 0x1113e8e in copied_type1_glyph_outline /f/ghostscript/ghostscript-9.22/./devices/gxfcopy.c:1091:16
    #2 0x1519c66 in gs_default_glyph_info /f/ghostscript/ghostscript-9.22/./base/gsfont.c:1036:12
    #3 0x97f0b9 in gs_type1_glyph_info /f/ghostscript/ghostscript-9.22/./base/gxtype1.c:608:16
    #4 0x10af460 in pdf_compute_font_descriptor /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtd.c:457:16
    #5 0x10b1720 in pdf_finish_FontDescriptor /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtd.c:637:17
    #6 0x10fcd56 in pdf_finish_resources /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtw.c:677:24
    #7 0xf5923b in pdf_close /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdf.c:2631:13
    #8 0x14f042a in gs_closedevice /f/ghostscript/ghostscript-9.22/./base/gsdevice.c:720:16
    #9 0x1ae58f1 in gs_main_finit /f/ghostscript/ghostscript-9.22/./psi/imain.c:951:20
    #10 0x578170 in main /f/ghostscript/ghostscript-9.22/./psi/gs.c:139:9
    #11 0x7f085c302f85 in __libc_start_main (/lib64/libc.so.6+0x20f85)
    #12 0x47f2b9 in _start (/r/gs/gs+0x47f2b9)

Address 0x7fff9000c6d8 is located in stack of thread T0 at offset 24 in frame
    #0 0x9b3e4f in gs_type2_interpret /f/ghostscript/ghostscript-9.22/./base/gstype2.c:125

  This frame has 4 object(s):
    [32, 224) 'cstack' (line 130) <== Memory access at offset 24 underflows this variable
    [288, 300) 'mask' (line 463)
    [320, 336) 'join' (line 729)
    [352, 368) 'end' (line 729)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /f/ghostscript/ghostscript-9.22/./base/gstype2.c:381:46 in gs_type2_interpret
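To make the sanitizer report easier to read, here is a simplified model of the Type 2 charstring operand stack that it shows underflowing, added as an illustration and not taken from Ghostscript or from the fix commit. The three operator codes are the real Type 2 values; the token encoding, the fixed operand counts and the error codes are simplified assumptions.

```c
/* Added illustration (not Ghostscript's own code): a minimal model of the Type 2
 * charstring operand stack ('cstack' in gs_type2_interpret) with the depth check
 * that keeps an operator from reading below cstack[0]. */
#include <stddef.h>

#define CSTACK_SIZE 48   /* Type 2 operand stack limit from the CFF specification */
enum { OP_RLINETO = 5, OP_ENDCHAR = 14, OP_RMOVETO = 21 };  /* real Type 2 operator codes */
typedef enum { CS_OK = 0, CS_ERR_UNDERFLOW = -1, CS_ERR_OVERFLOW = -2, CS_ERR_BADOP = -3 } cs_status;
typedef struct { int is_op; int value; } cs_token;   /* an operand (push) or an operator */

/* Interpret a charstring, tracking the current point (x, y). Operand counts are
 * simplified (real rlineto takes 2n operands). The depth check before each operand
 * read is what turns a malformed charstring into an error instead of a read below
 * cstack[0]; in the report above, offset 24 against a cstack starting at offset 32
 * is two 4-byte elements below the array, i.e. cstack[-2]. */
static cs_status cs_run(const cs_token *toks, size_t n, int *x, int *y)
{
    int cstack[CSTACK_SIZE];
    int depth = 0;                        /* operands currently on the stack */
    *x = *y = 0;
    for (size_t i = 0; i < n; i++) {
        int op = toks[i].value;
        if (!toks[i].is_op) {
            if (depth >= CSTACK_SIZE) return CS_ERR_OVERFLOW;
            cstack[depth++] = op;
            continue;
        }
        int need = op == OP_ENDCHAR ? 0 : (op == OP_RMOVETO || op == OP_RLINETO) ? 2 : -1;
        if (need < 0) return CS_ERR_BADOP;
        if (depth < need) return CS_ERR_UNDERFLOW;   /* guard against csp[-1]-style reads */
        if (need == 2) { *x += cstack[depth - 2]; *y += cstack[depth - 1]; }
        depth = 0;                        /* Type 2 path operators clear the operand stack */
        if (op == OP_ENDCHAR) return CS_OK;
    }
    return CS_OK;
}

/* Constructed inputs: a well-formed charstring, and one that gives rmoveto a single
 * operand, the shape of input on which an unchecked interpreter underflows. */
static cs_status run_wellformed(int *x, int *y)
{
    static const cs_token t[] = { {0, 10}, {0, 20}, {1, OP_RMOVETO},
                                  {0, 5}, {0, -3}, {1, OP_RLINETO}, {1, OP_ENDCHAR} };
    return cs_run(t, sizeof t / sizeof t[0], x, y);
}
static cs_status run_malformed(void)
{
    static const cs_token t[] = { {0, 10}, {1, OP_RMOVETO} };
    int x, y;
    return cs_run(t, 2, &x, &y);
}
```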
Comment 1 Chris Liddell (chrisl) 2018-01-24 01:08:08 UTC
It would be extremely helpful if you included your exact command line, and the release version (or git SHA) that you test with.

I was able to reproduce the issue in this case, but in the future, lacking the above information may mean the bug is closed due to insufficient information.
Comment 2 Chris Liddell (chrisl) 2018-01-24 01:55:52 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=eb5f2a85c5